Add production deployment configuration and CI/CD

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      actions:
+        patterns:
+          - "*"

.github/workflows/build-deploy.yml

@@ -0,0 +1,132 @@
+name: Build and Deploy CKAN
+
+on:
+  push:
+    branches: [master, ckan211-prod-deploy-pr]
+    tags: ["v*"]
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: "Image tag to deploy (e.g., sha-abc1234 or v1.0.0)"
+        required: true
+        type: string
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+env:
+  ACR_NAME: adracr
+  IMAGE_NAME: ckan
+
+jobs:
+  build:
+    if: github.event_name != 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    outputs:
+      image_tag: ${{ steps.set-env.outputs.image_tag }}
+      environment: ${{ steps.set-env.outputs.environment }}
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          submodules: recursive
+
+      - name: Determine environment and image tag
+        id: set-env
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "environment=production" >> $GITHUB_OUTPUT
+            echo "image_tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          else
+            echo "environment=staging" >> $GITHUB_OUTPUT
+            echo "image_tag=sha-$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.6.1
+        with:
+          images: ${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha
+            type=ref,event=tag
+
+      - name: Login to ACR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ${{ env.ACR_NAME }}.azurecr.io
+          username: ${{ secrets.ACR_USERNAME }}
+          password: ${{ secrets.ACR_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.10.0
+        with:
+          context: .
+          file: deploy/Dockerfile.prod
+          push: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  deploy:
+    if: always() && (needs.build.result == 'success' || github.event_name == 'workflow_dispatch')
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ github.event_name == 'workflow_dispatch' && inputs.environment || needs.build.outputs.environment }}
+      url: ${{ steps.params.outputs.url }}
+    steps:
+      - name: Set deploy params
+        id: params
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            ENV="${{ inputs.environment }}"
+            echo "image_tag=${{ inputs.image_tag }}" >> $GITHUB_OUTPUT
+          else
+            ENV="${{ needs.build.outputs.environment }}"
+            echo "image_tag=${{ needs.build.outputs.image_tag }}" >> $GITHUB_OUTPUT
+          fi
+
+          if [[ "$ENV" == "production" ]]; then
+            echo "namespace=adr-p" >> $GITHUB_OUTPUT
+            echo "url=https://adr-p.fjelltopp.org" >> $GITHUB_OUTPUT
+          else
+            echo "namespace=adr-s" >> $GITHUB_OUTPUT
+            echo "url=https://dev.adr.fjelltopp.org" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Deploy to AKS
+        run: |
+          # Determine env config file
+          if [[ "${{ steps.params.outputs.namespace }}" == "adr-p" ]]; then
+            ENV_CONFIG="deploy/production.ini"
+          else
+            ENV_CONFIG="deploy/staging.ini"
+          fi
+
+          # Create/update env ConfigMap
+          kubectl create configmap ckan-env-config \
+            --from-file=env.ini=$ENV_CONFIG \
+            -n ${{ steps.params.outputs.namespace }} \
+            --dry-run=client -o yaml | kubectl apply -f -
+
+          # Update image
+          kubectl set image deployment/ckan \
+            ckan=${{ env.ACR_NAME }}.azurecr.io/${{ env.IMAGE_NAME }}:${{ steps.params.outputs.image_tag }} \
+            -n ${{ steps.params.outputs.namespace }}
+          kubectl rollout status deployment/ckan -n ${{ steps.params.outputs.namespace }} --timeout=5m

.github/workflows/reindex-solr.yml

@@ -0,0 +1,38 @@
+name: Rebuild Solr Index
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+jobs:
+  reindex:
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.environment }}
+    steps:
+      - name: Set namespace
+        id: params
+        run: |
+          if [[ "${{ inputs.environment }}" == "production" ]]; then
+            echo "namespace=adr-p" >> $GITHUB_OUTPUT
+          else
+            echo "namespace=adr-s" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kubeconfig
+        run: |
+          mkdir -p ~/.kube
+          echo "${{ secrets.KUBECONFIG_BASE64 }}" | base64 -d > ~/.kube/config
+          chmod 600 ~/.kube/config
+
+      - name: Rebuild Solr index
+        run: |
+          kubectl exec deployment/ckan -n ${{ steps.params.outputs.namespace }} -- \
+            ckan -c /tmp/production.ini search-index rebuild -i -q

.gitignore

@@ -112,3 +112,7 @@ src/
 # Hide translation .po file copies
 build/translations/*
 demo_venv/
+
+# Local configuration and utility scripts (for personal use)
+.vuhitra/
+rebuild_solr_index.sh

.gitmodules

@@ -59,3 +59,5 @@
 [submodule "submodules/ckanext-geoview"]
 	path = submodules/ckanext-geoview
 	url = https://github.com/ckan/ckanext-geoview.git
+[submodule "submodules/ckanext-unaids"]
+	url = git@github.com:/fjelltopp/ckanext-unaids.git

ckan/ckan_supervisor.conf

@@ -5,7 +5,7 @@ file=/tmp/supervisor.sock
 
 [supervisord]
 nodaemon=true
-logfile=/dev/fd/1
+logfile=/dev/stdout
 logfile_maxbytes=0
 pidfile=/tmp/supervisord.pid
 
@@ -17,41 +17,41 @@ serverurl=unix:///tmp/supervisor.sock
 ; ===============================
 [program:ckan_gather_consumer]
 
-command=/usr/local/bin/ckan --config=/etc/ckan/ckan.ini harvester gather-consumer
+command=%(ENV_CKAN_VENV)s/bin/ckan --config=%(ENV_CONFIG)s harvester gather-consumer
 
 ; user that owns virtual environment.
 user=root
 
-stdout_logfile=/dev/fd/1
+stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
+stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 autorestart=true
 
 [program:ckan_fetch_consumer]
 
-command=/usr/local/bin/ckan --config=/etc/ckan/ckan.ini harvester fetch-consumer
+command=%(ENV_CKAN_VENV)s/bin/ckan --config=%(ENV_CONFIG)s harvester fetch-consumer
 
 ; user that owns virtual environment.
 user=root
 
-stdout_logfile=/dev/fd/1
+stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
+stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 autorestart=true
 
 [program:ckan_harvester_run]
 
-command=/bin/bash -c "sleep 2m && /usr/local/bin/ckan --config=/etc/ckan/ckan.ini harvester run "
+command=/bin/bash -c "sleep 2m && %(ENV_CKAN_VENV)s/bin/ckan --config=%(ENV_CONFIG)s harvester run "
 ; user that owns virtual environment.
 user=root
 
-stdout_logfile=/dev/fd/1
+stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
+stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 autorestart=true
@@ -63,11 +63,11 @@ autorestart=true
 [program:ckan-worker]
 
 ; Use the full paths to the virtualenv and your configuration file here.
-command=/usr/local/bin/ckan -c /etc/ckan/ckan.ini jobs worker
+command=%(ENV_CKAN_VENV)s/bin/ckan -c %(ENV_CONFIG)s jobs worker
 
 
 ; User the worker runs as.
-user=ckan
+user=root
 
 
 ; Start just a single worker. Increase this number if you have many or
@@ -77,9 +77,9 @@ process_name=%(program_name)s-%(process_num)02d
 
 
 ; Log files.
-stdout_logfile=/dev/fd/1
+stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
-stderr_logfile=/dev/fd/2
+stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 
 ; Make sure that the worker is started on system start and automatically
@@ -95,3 +95,31 @@ startsecs=10
 ; Need to wait for currently executing tasks to finish at shutdown.
 ; Increase this if you have very long running tasks.
 stopwaitsecs = 600
+
+; ===============================
+; nginx reverse proxy
+; ===============================
+[program:nginx]
+command=/usr/sbin/nginx -g "daemon off;"
+user=root
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+priority=10
+
+; ===============================
+; uWSGI CKAN application
+; ===============================
+[program:uwsgi]
+command=/usr/local/bin/uwsgi --ini /usr/lib/adx/uwsgi.ini
+user=root
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+autorestart=true
+priority=20